GCHQ Says Hackers Have Likely Compromised UK Energy Sector Targets

The news comes after the FBI and Homeland Security warned hackers had targeted US energy firms too.

A UK cybersecurity authority has issued a warning about hackers targeting the country's energy sector, and says that some industrial control system organizations are likely to have been successfully compromised, according to a copy of the document obtained by Motherboard.

The document was produced by the National Cyber Security Centre (NCSC), part of the UK's intelligence agency GCHQ.

"The NCSC is aware of connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors," a section of the warning reads. An industry source provided the report to Motherboard. Motherboard granted the source anonymity to provide information on sensitive investigations.

The activity is also targeting other sectors, with a focus on engineering, industrial control, and water sector companies. This recent wave of activity started around June 8, according to the report.

The document adds that it is likely hackers have managed to break into at least some of the targets' systems.

"NCSC believes that due to the use of wide-spread targeting by the attacker, a number of Industrial Control System engineering and services organisations are likely to have been compromised," another section of the warning reads. The report says that these organizations are part of the supply chain for UK critical national infrastructure, and some are likely to have remote access to critical systems.

An NCSC spokesperson told Motherboard in an email, "We are aware of reports of malicious cyber activity targeting the energy sector around the globe. We are liaising with our counterparts to better understand the threat and continue to manage any risks to the UK."

Motherboard confirmed the authenticity of the document with two other sources who also requested anonymity.

The motivation behind these hacking attempts is unclear. As the report mentions, state-sponsored hackers have previously targeted the energy sector for espionage, or for preparation of conflict. The NCSC report obtained by Motherboard does not mention Russia or any of its intelligence agencies by name.

In the intrusions described in the NCSC document, infrastructure inside the affected organizations is connecting to a set of malicious IP addresses over SMB, a data transfer protocol, as well as HTTP. The report suggests that the hackers may be trying to capture victims' passwords, and provides a set of mitigations for victims, such as turning on multi-factor authentication for industrial systems.
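A defender can look for the same pattern in their own flow or firewall logs. The sketch below is an added example, not taken from the NCSC report or from this article: it flags internal hosts that open SMB sessions to external addresses or make HTTP connections to a watchlisted address. The log format, the internal address ranges and the watchlist entry (a documentation-range placeholder, not a real indicator) are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: address space treated as "inside" the organisation (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}   # NetBIOS session service and SMB over TCP
HTTP_PORTS = {80}

# Placeholder watchlist: documentation-range address, not a real indicator.
WATCHLIST = {ipaddress.ip_address("203.0.113.10")}

# Constructed sample flow records in an assumed format: time,src,dst,dst_port
SAMPLE_FLOWS = """\
2024-03-01T08:14:02Z,10.20.1.15,10.20.1.2,445
2024-03-01T08:14:40Z,10.20.1.15,203.0.113.10,445
2024-03-01T08:15:11Z,10.20.3.77,198.51.100.23,445
2024-03-01T08:16:55Z,10.20.3.77,203.0.113.10,80
2024-03-01T08:17:30Z,10.20.4.8,198.51.100.80,80
not,a,valid,record
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def triage(flow_text, watchlist=WATCHLIST):
    """Return {internal_host: [(reason, dst, port), ...]} for flagged flows."""
    findings = defaultdict(list)
    for line in flow_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        try:
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
            port = int(parts[3])
        except ValueError:
            continue  # skip malformed records rather than abort the run
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external flows are of interest
        if port in SMB_PORTS:
            # File sharing to an outside address is rarely legitimate.
            findings[str(src)].append(("outbound-smb", str(dst), port))
        elif port in HTTP_PORTS and dst in watchlist:
            findings[str(src)].append(("http-to-watchlist", str(dst), port))
    return dict(findings)

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_FLOWS).items():
        print(host, hits)
```

Outbound SMB is flagged regardless of destination, while HTTP is only flagged against the watchlist because ordinary web traffic would otherwise swamp the results.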

The NCSC report points to another, separate, non-public report issued by the FBI and US Department of Homeland Security to US businesses last month, which said the same hackers were using spear phishing emails to deliver malware-laden Word documents. The hackers then stole their victims' credentials and attempted to map out their network drives, according to the US report also obtained by Motherboard. The NCSC document does not explicitly say whether spear phishing was used against UK targets, though The Times report says Russian hackers sent emails designed to trick staff.

These UK intrusions appear to be part of a broader campaign across multiple countries and continents.

"Previous Russian intrusions focused on critical infrastructure have targeted the US and the West simultaneously. We have found evidence that this actor has targeted Turkey and Ireland and suspect that their activity is even broader," said John Hultquist, an analyst at cybersecurity firm FireEye who has not seen the NCSC report but is aware of the hacking campaign, in a Twitter direct message to Motherboard.

According to a report in CyberScoop, 18 US-based energy companies received phishing emails in the recent wave.

Robert M. Lee, founder and chief executive of Dragos, a company that focuses on the security of industrial control systems, told Motherboard in a Twitter message, "Targeted intrusions into civilian infrastructure is only increasing and only becoming more worrisome." Lee has also not reviewed the NCSC report.

However, panic over these incidents would likely be premature. Lee pointed to a 2014 hacking campaign that targeted US and European infrastructure, but with specially tailored malware, rather than the other techniques in this case.

"Both are concerning but we are not to the point where tailored activity by the adversary is setting off alarm bells. At this point we must accept the threat is real but there is no real threat to safety," Lee added.

Update: This article has been updated to include comments from an NCSC spokesperson.

Got a tip? You can contact this reporter securely on Signal at +44 20 8133 5190, OTR chat at jfcox@jabber.ccc.de, or email joseph.cox@vice.com